The Privacy Rights Clearinghouse [1] appreciates the opportunity to contribute to the California Department of Insurance (CDI) discussion about pay-as-you-drive (PAYD) automobile insurance. We are joined in these comments by the San Francisco-based consumer organization, PrivacyActivism. It is appropriate that CDI inject privacy into this discussion before regulations are proposed. Any regulations adopted must ensure that California drivers are not faced with the choice of reducing automobile insurance costs or paying a premium for privacy.

Few would argue with the benefits to be derived from less automobile traffic. High fuel costs, environmental concerns, safety, and productivity lost to congestion are sound reasons to aim for reduced traffic. PAYD insurance policies are based on the principle that financial incentives will encourage drivers to use public transportation, carpool, or simply drive less.

PAYD insurance also includes an element of fairness — at least for drivers in areas with public transportation or other alternative means of getting around. Since rates and premiums are based on actual miles driven, low-mileage drivers like retirees do not subsidize the long-haul commuter. Mileage-based pricing of insurance can allow for the customization of insurance premiums to more accurately reflect risks based on actual vehicle usage. In principle, this may reduce the cross-financing of high-risk drivers by low-risk ones and increase fairness of insurance systems.

However, some forms of mileage-based pricing could facilitate policyholder surveillance and potentially have a chilling effect on the privacy rights of motorists. These issues are further aggravated by governmental interests in acquiring this data from insurance carriers.

2. Onboard technology

Along with the potential good to come from reduced driving through PAYD insurance, there is a real risk that insurers will base attractive premiums on consumers’ willingness to accept onboard devices that record much more than miles traveled. Depending on the technology used, devices installed on personal automobiles may track speed, location, duration of a trip, acceleration and deceleration, time of day the trip was made, the identity of the driver, use of mobile phones and more. Once installed, a device originally set to track one driving element may be altered to add additional functions.

From a privacy standpoint, GPS (global positioning satellite) technology is by far the most intrusive technology that can be installed on an individual’s automobile. While other devices collect far less data than GPS systems, it does not take a giant leap in imagination to envision the day when GPS could be the standard device required by insurers for PAYD policies.

GPS data can be used to draw numerous inferences about an individual through a simple click of a button. These inferences can be used to harm an individual and may prove embarrassing to him/her when revealed publicly. Allegedly less intrusive non-GPS based technologies present similar concerns. For example, other technologies may take data from the car's On-Board Diagnostic (OBDII) port. This can be used to compile individual trip statistics including start and end time, miles driven, number of aggressive braking and acceleration events, and vehicle speed.

If PAYD policies are offered only through an onboard device, insurers may very well take a “little-at-a-time” approach. That is, as drivers become accustomed to onboard devices, they will be more willing to accept increasingly intrusive technology, particularly if the new technology saves them money. Without a doubt, drivers most susceptible to accepting intrusive devices for a reduced premium would be low-wage earners, people surviving on disability payments or other fixed income, the recently unemployed, heads of single-parent households and anyone else who now struggles to pay the premiums for state-mandated insurance. It would truly be an unfortunate result if California drivers are one day required to give up privacy rights for affordable insurance policies.

3. What data would be required?

In announcing the June 23, 2008, PAYD workshop, CDI poses the following privacy-related questions: “What data would be required?” and “How would the data be used?”

The answer to the first question is quite simple. California Insurance Code (CIC) section 1861.02(a) requires three mandatory factors [2], the second of which is “the number of miles [the insured] drives annually.” To satisfy this factor, the only data required is an odometer reading between specified points in time. If, as seems to be assumed, drivers cannot be trusted to properly report odometer readings, the function could easily be performed by an independent third party.

Currently there are numerous licensed mechanics authorized in all areas of the state to conduct smog checks when checks are required for annual registration. Facilities designated as authorized smog check stations could easily add the means for providing an odometer reading. Drivers could either be given a certificate of mileage for transfer to their insurance company, or the information could be transmitted electronically, given adequate encryption to protect personal information. Such a system would be of little cost to California drivers, in terms of both money and threats to privacy.

4. How would (or could) data be used? Information creep

The Department’s second question, how would the data be used, is not so easily answered. If drivers are required to accept onboard tracking devices such as GPS technology as a condition for a PAYD discount, the only answer to CDI’s question is that no one knows how the data would eventually be used.

Perhaps the real question to be asked is: How could the data be used? As anyone familiar with informational privacy in the age of technology well knows, data collected for one purpose will sooner or later surely be used for another purpose.

Secondary use of data, sometimes called “information creep,” “function creep,” or “mission creep,” means that data collected may have untold uses beyond those originally intended. Any data collected by insurance companies would be subject to subpoena, and if subpoenaed, the insurance carrier would be required to comply with legal process. Personal driving data could thus be made available to both governmental entities and civil litigants. Take the case of the Pennsylvania lawyer who used E-Z Pass toll plaza records to prove her client’s cheating husband was not where he said he was on a certain date and time. [3] According to news articles, it is now fairly common in divorce cases to subpoena E-Z Pass toll booth records.

Some might say that the scoundrels get what they deserve. But the lesson to be learned from the E-Z Pass cases is not how to catch a cheating partner. Rather, the use of E-Z Pass records is a perfect example of “information creep.” Once electronic footprints are laid down, the potential uses are limited only by the imagination of one who seeks to collect and use an individual’s data for whatever reason.

5. California's Insurance Information and Privacy Protection Act

Insurers doing business in California must follow the Insurance Information and Privacy Protection Act (IIPPA) (Ins Code 791-791. Section 791.13 generally prohibits disclosure of information about an individual collected or received in connection with an insurance transaction unless the disclosure is authorized in writing. The IIPPA, however, creates a number of exceptions. For example, an individual’s authorization is not required if the disclosure is:

Made to a law enforcement or other governmental authority pursuant to law (Section 791.13(f))

Otherwise permitted or required by law. (Section 791.13(g))

In response to a facially valid administrative or judicial order, including a search warrant or subpoena. (Section 791.13(h))

Thus, California drivers who want to save money by accepting an onboard tracking device could, among other things, unintentionally be opening themselves up to a universe of “free discovery.”

But litigation is just one of the potential secondary uses of data that track a driver’s habits. Marketers are ever adept at tailoring an unending array of products and services to consumers’ behavior. The IIPPA also allows disclosure, without authorization, to a person whose only use of such information will be in connection with the marketing of a product or service, provided the individual is given an opportunity to opt out. (Section 791.13(k))

6. CDI should not allow insurers to charge a privacy premium

Some drivers, even people unconcerned with potential secondary uses of their data, may simply resist an onboard device for fundamental privacy reasons. For many people, their car is their refuge, a place to listen to favorite music alone or just ponder the events of the day. Intrusions of any sort would be unwelcome, especially an electronic device capturing various data.

If CDI decides to permit insurers to offer PAYD insurance in California, policies should not be contingent on a driver’s willingness to install onboard data collection devices. In fairness to drivers who want to guard their privacy, a simple odometer reading should warrant no higher insurance premium than an installed device. To allow disparate pricing based on a driver’s acceptance of onboard data collection would be tantamount to a privacy premium, a penalty that should not be imposed on any California driver.

7. Recommendations

If carefully introduced, there is reason to believe that PAYD insurance can exist in California without sacrificing privacy rights. To accomplish this goal, we offer the following recommendations:

Official odometer-reading services should be added to the services provided by smog stations and Department of Motor Vehicle offices. These would enable drivers to visit such an office, have the odometer read, and report readings to insurers.

Minimal costs associated with simple odometer readings could be paid by the consumer or added to the total premium. These should realistically amount to no more than a few dollars per year.

PAYD policies should be offered on a voluntary basis only.

Consumers who decline PAYD policies that include onboard technology should not be charged higher rates and premiums.

If insurers offer PAYD policies associated with onboard technology, drivers should receive notice of the exact data to be collected.

A driver who agrees to onboard data collection devices should be given precise disclosures about how the data will be used by the insurer as well as potential secondary uses for the data.

That study demonstrates an easy way to protect driver privacy while using an effective PAYD system. This can be done by calculating the insurance premium directly inside an onboard electronic unit and then transmitting only aggregate data to the insurance companies. This process provides for privacy protection since it is not necessary to transfer any additional data outside the vehicle. This is what the authors of the report refer to as "PriPAYD: Privacy Friendly Pay-As-You-Drive".
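
As an added illustration (not code from these comments or from the PriPAYD study), the sketch below shows the data flow described above: the onboard unit prices each trip locally and sends the insurer only an authenticated aggregate, so trip times and locations never leave the vehicle. The tariff, field names, sample trips, and the use of HMAC-SHA256 to authenticate the report are assumptions made for the example.

```python
import hashlib
import hmac
import json

# Hypothetical tariff in cents per km (assumption, not from the page).
RATE_CENTS_PER_KM = {"day": 4, "night": 6}

# Constructed sample trips; these records never leave the onboard unit.
TRIPS = [
    {"start": "2008-06-02T08:10", "km": 12.5, "band": "day", "lat": 37.77, "lon": -122.42},
    {"start": "2008-06-02T23:40", "km": 30.0, "band": "night", "lat": 37.80, "lon": -122.27},
    {"start": "2008-06-14T17:05", "km": 7.5, "band": "day", "lat": 37.33, "lon": -121.89},
]


def compute_premium_cents(trips):
    """Price every trip locally; only the sum is kept for reporting."""
    return round(sum(t["km"] * RATE_CENTS_PER_KM[t["band"]] for t in trips))


def build_report(policy_id, period, trips, device_key):
    """Return the only message sent to the insurer: an authenticated aggregate."""
    body = {"policy": policy_id, "period": period,
            "premium_cents": compute_premium_cents(trips)}
    payload = json.dumps(body, sort_keys=True).encode()
    tag = hmac.new(device_key, payload, hashlib.sha256).hexdigest()
    return {"payload": payload.decode(), "tag": tag}


def insurer_verify(report, device_key):
    """Insurer side: check the tag, then read the aggregate. Returns None if forged."""
    payload = report["payload"].encode()
    expected = hmac.new(device_key, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, report["tag"]):
        return None
    return json.loads(payload)


if __name__ == "__main__":
    key = b"constructed-demo-key"  # placeholder; a real unit would hold a provisioned secret
    report = build_report("POLICY-EXAMPLE", "2008-06", TRIPS, key)
    print(report["payload"])            # aggregate only: policy, period, premium
    print(insurer_verify(report, key))  # what the insurer learns
```

Because the insurer receives only the policy identifier, billing period and total, a subpoena served on the insurer can reach no more than those three fields.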

8. Conclusion

As CDI considers adopting PAYD insurance regulations for California drivers, we urge it to make privacy rights an integral part of the process. Again, we appreciate the opportunity to join the CDI’s consideration of PAYD insurance.

[1] The Privacy Rights Clearinghouse is a nonprofit consumer education and advocacy organization based in San Diego, CA, and established in 1992. The PRC advises consumers on a variety of informational privacy issues, including financial privacy, medical privacy and identity theft, through a series of fact sheets as well as individual counseling available via telephone and e-mail. It represents consumers’ interests in legislative and regulatory proceedings on the state and federal levels. www.privacyrights.org

[2] Section 1861.04 identifies the three factors, to be applied in decreasing order of importance, as: (1) The insured's driving safety record. (2) The number of miles he or she drives annually. (3) The number of years of driving experience the insured has had.